Doc ID: 37385887-1beb-11ec-8c53-00505692583a:589201

Searching

The search bar is universal across the FortiInsight user interface, and works the same way on each page.

Modes

There are two modes for the search bar: Design and Plain Text. Design mode is a flexible UI approach in which you build the query from pills that you can move around, whereas Plain Text mode removes these UI elements and you type the query as text.

Toggle between the two by switching the mode on or off. The following image shows Plain Text mode.

Design

Search pills

You conduct searches on individual fields in the data that FortiInsight stores. Each search consists of the following three pieces of criteria, which combine to form a search pill:

  1. Field to search
  2. Type of comparison to make
  3. Value to search for

The following table describes the criteria options for search pills:

Criteria: Field to search
Options: The list of available search fields varies according to the type of data that you are searching for.
Description: Select the field that you want to search.

Criteria: Type of comparison to make
Options: Less Than, Greater Than, Greater Than or Equal To, Less Than or Equal To
Description: Matches values that fall on the specified side of the value that you enter. For example, Less Than matches values that are less than the value that you enter. You can use these comparison types for numerical comparisons, such as searching by port number or severity, and for alphabetical comparisons, such as finding results that sort alphabetically after the entered value.

Options: Terms
Description: A text-based search. New search pills default to this comparison type. You can use the following special characters for additional search control:

  • Asterisk (*): Use as a wildcard for zero or more unknown characters.
  • Question mark (?): Use as a wildcard for exactly one unknown character.

Options: Regular Expression
Description: For advanced users, the search pill supports regular expression searches, using the same regular expression syntax as the Elasticsearch query string query. For more information, see https://www.elastic.co/guide/en/elasticsearch/reference/5.6/query-dsl-query-string-query.html#_regular_expressions. Note that a regular expression must match the entire field value: the pattern is implicitly anchored at both ends, and the ^ and $ anchors are not supported. Patterns that begin with a wildcard, and very broad regular expressions, are evaluated against every term in the index and can be slow over a large date range.

Criteria: Value to search for
Options: The value that you want to search for.
Description: You can enter more than one value by separating the values with commas; the pill then matches events where the field matches any of the listed values.

The following image shows an example of search pills.

The following image shows an example of a comma separated list.

Creating search pills

  1. Click in the search bar.
  2. Select a field to search from the options in the drop-down list. You can also begin typing and FortiInsight narrows the options to a list of available fields.
  3. If you do not want to do a terms search, select an alternate type of comparison from the drop-down list.
  4. Enter a value to search for and press Enter.
  5. Optionally, add one or more additional search pills and modify the concatenators. (See Logical operators)
  6. The search results table updates to show the results to your search query.

You can also use values that appear in the tables on the FortiInsight UI pages to add criteria to the search bar. To add a value in the table to the search bar, right-click the value and click Add to Search. To exclude a value in the table from the search, right-click the value and click Exclude from Search.

Logical operators

FortiInsight search pills support the use of logical operators, which include concatenators and modifiers. Concatenators join search pills together in the search bar. Modifiers change the meaning of an existing search pill and can be used in combination with concatenators.

The following operators can be used in your searches:

  • AND: Both search pills joined with this concatenator must evaluate as true in order for a search result to be returned.
  • OR: Either of the search pills joined with this concatenator can evaluate as true in order for a result to be returned. To use the OR concatenator, either type OR and press Enter between search pills or click on an existing concatenator to cycle between AND and OR concatenators.
  • NOT: Exclude values from the search by preceding the search pill with a NOT modifier. To use the NOT modifier, before you enter a pill, type NOT and press Enter.

The following image shows an example of the AND and NOT operators:

Grouping search pills

You can use parentheses to group search pills and specify operator precedence to construct complex queries. To group search pills, type an open parenthesis, enter the search pills, and type a close parenthesis. If you do not enter parentheses, the search bar adds its own grouping behind the scenes to interpret your query, and that grouping may not be the one you intended. When a query mixes AND and OR, always group explicitly: a query of the form A AND B OR C can be read as (A AND B) OR C or as A AND (B OR C), and the two return different results.

The following image shows an example of grouping search pills.
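
As an added worked example (this is not FortiInsight code and not its real plain-text syntax), the following Python script parses and evaluates queries with the semantics described in the sections above: pills made of a field, a comparison and one or more comma-separated values; Terms searches with the * and ? wildcards; Regular Expression searches that must match the whole field value; numeric and alphabetical ordered comparisons; and the AND, OR and NOT operators with parentheses. The pill spelling (field:value for Terms, field=~"pattern" for Regular Expression, field<value and so on for the ordered comparisons), the precedence applied when no parentheses are given (NOT binds tightest, then AND, then OR), case-insensitive Terms matching, and the sample events are all assumptions made for the example.

```python
import operator
import re

# Constructed sample events for the demo (illustrative only, not real FortiInsight data).
EVENTS = [
    {"user": "alice", "process": "powershell.exe", "port": 443, "severity": 3},
    {"user": "bob", "process": "cmd.exe", "port": 4444, "severity": 7},
    {"user": "svc_backup", "process": "powershell.exe", "port": 22, "severity": 5},
    {"user": "carol", "process": "explorer.exe", "port": 80, "severity": 1},
]

ORDERED = {"<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}
OPS = {":": "terms", "=~": "regex", **{k: k for k in ORDERED}}  # assumed pill spelling: FIELD OP VALUE
TOKEN_RE = re.compile(r'\(|\)|>=|<=|=~|[<>:]|"[^"]*"|[^\s()<>:=~"]+')

def pill_matches(pill, event):
    """pill is (field, comparison, values); a comma-separated value list matches on ANY value."""
    field, comparison, values = pill
    if field not in event:
        return False
    actual = str(event[field])
    for value in values:
        if comparison == "terms":    # '*' = zero or more characters, '?' = exactly one; whole term
            regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in value)
            hit = re.fullmatch(regex, actual, re.IGNORECASE)  # case-insensitive is an assumption
        elif comparison == "regex":  # Lucene-style: implicitly anchored, must match the whole term
            hit = re.fullmatch(value, actual)
        else:                        # numeric when both sides are numbers, otherwise alphabetical
            try:
                hit = ORDERED[comparison](float(actual), float(value))
            except ValueError:
                hit = ORDERED[comparison](actual, value)
        if hit:
            return True
    return False

def parse(query):
    """Recursive descent. Precedence (assumed): NOT binds tightest, then AND, then OR."""
    tokens = TOKEN_RE.findall(query) + [None]  # None marks end of input
    pos = 0

    def take():
        nonlocal pos
        tok = tokens[pos]
        if tok is not None:
            pos += 1
        return tok

    def parse_or():
        left = parse_and()
        while tokens[pos] == "OR":
            take()
            left = ("or", left, parse_and())
        return left

    def parse_and():
        left = parse_not()
        while tokens[pos] == "AND":
            take()
            left = ("and", left, parse_not())
        return left

    def parse_not():
        if tokens[pos] == "NOT":
            take()
            return ("not", parse_not())
        if tokens[pos] == "(":
            take()
            inner = parse_or()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        field, op, raw = take(), take(), take()
        if op not in OPS or raw is None:
            raise ValueError(f"malformed pill at {field!r}")
        value = raw[1:-1] if raw.startswith('"') else raw  # strip surrounding quotes
        return ("pill", (field, OPS[op], [value] if OPS[op] == "regex" else value.split(",")))

    tree = parse_or()
    if tokens[pos] is not None:
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return tree

def evaluate(tree, event):
    if tree[0] == "pill":
        return pill_matches(tree[1], event)
    if tree[0] == "not":
        return not evaluate(tree[1], event)
    left, right = evaluate(tree[1], event), evaluate(tree[2], event)
    return (left and right) if tree[0] == "and" else (left or right)

def search(query, events=EVENTS):
    tree = parse(query)  # parse once, then evaluate against every event; returns matching users
    return [e["user"] for e in events if evaluate(tree, e)]

if __name__ == "__main__":  # same pills, different grouping: without parentheses AND binds before OR
    print(search("user:alice,bob OR process:powershell.exe AND port<100"))    # ['alice', 'bob', 'svc_backup']
    print(search("(user:alice,bob OR process:powershell.exe) AND port<100"))  # ['svc_backup']
```

With the constructed events, the ungrouped query user:alice,bob OR process:powershell.exe AND port<100 returns alice, bob and svc_backup, while the grouped query (user:alice,bob OR process:powershell.exe) AND port<100 returns only svc_backup, which is why explicit parentheses matter whenever a query mixes AND and OR. A Regular Expression pill such as process=~"cmd" matches nothing, because the pattern has to cover the whole value cmd.exe; process=~"(cmd|explorer)\.exe" matches both bob and carol. The ordered comparison user>bob falls back to alphabetical ordering, as the page describes for non-numeric fields.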

Plain text

Plain Text mode allows you to build your search without using search bar pills. In this raw format, all of the UI elements are removed from the search bar, including draggable pills and in-pill editing, and you type the query as text.

Note

Plain Text mode uses the same operators and grouping as Design mode. See Logical operators and Grouping search pills above.

Limiting searches to a specific date range

By default, FortiInsight carries out searches over an unbounded period of time, searching all of the data held in its index. The Policy Alert and AI Alert pages are the exception: there the default search covers only the current week, so widen the range when you need to look at older alerts. You can limit searches to begin at a specific date, end at a specific date, or search within a date range.

  • To have the search begin at a specific date, specify the start date in the From date range box.
  • To have the search end at a specific date, specify the end date in the To date range box.
  • To search within a specific date range, specify a start and end date in the date range boxes.

The following image shows the date range boxes.

Copying and pasting search queries

You can copy and paste search bar entries across the FortiInsight UI. This means that you can use the same search query in different areas of the FortiInsight UI without having to re-type it. For example, you can copy a query from a new Policy that you are creating and paste it into the Threat Hunting page without retyping the search criteria. This saves time when you use large, complex search queries.

The search bar copy and paste function recognizes which fields are supported by the area of the UI that you paste into, and warns you if any fields in the pasted query are not supported there.

  1. Click the copy icon in the search bar.

    The following image shows the Copy Search icon:

  2. Navigate to the screen that you want to move the search query to.
  3. Click the paste icon in the search bar.

    The following image shows the Paste Search icon:

Deleting a search pill

To delete a search pill, place your cursor to the right of the search pill, and press Backspace.

Clearing a search

To clear your current search, click the x icon at the end of the search bar.

Last searches

Access a list of your ten latest searches by clicking the Last Searches icon at the end of the search bar. Select a search from the list to run that search again.

The following image shows an example of a list of Last 10 searches:

Sticky searches

In the FortiInsight UI, searches are sticky within a particular data type. This means that when you search events, the search bar on other UI pages that search events autopopulate with the last search that you entered.

Searches are sticky across FortiInsight sessions. This means that the search bar autopopulates with the last search that you entered from the previous session.

To clear a prefilled search from the search bar, click the x at the end of the search bar.

Finding related events

To help you explore events that may be connected, and potentially provide further information and context, you can see events that occurred around the same time as a specific event.

  1. Right-click on the timestamp of an event.
  2. Select Find Items Around This Time.

FortiInsight narrows the list to events that occurred within a five-minute window on either side of the selected event, that is, from five minutes before to five minutes after its timestamp.

Summary tables

Summary tabs and tables are available on some pages in the FortiInsight UI and provide an overview of your search results. You can reveal summary tables below the search bar on the Alerts and Threat Hunting pages.

The following image shows an example of the summary tabs.

Converting a threat hunting search into a policy

When you perform a search on the Threat Hunting page, you can convert your search into a policy for automatic alerting on the criteria in the future. To convert a threat hunting search into a policy that will generate future alerts, click Create Policy.

Table settings

To configure tables, select the table settings icon located to the top right of the table.

The settings allow you to configure the default number of rows per page (10, 50, 100, 250 or 500) and which columns are shown by default. The following image shows the settings for the Live event table. These settings are remembered across your logged-in sessions on FortiInsight.
